Unconditional Security of Single-Photon Differential Phase Shift Quantum Key 

Distribution 



O 



Kai Wen^, Kiyoshi Tamaki^"'^, and Yoshihisa Yamamoto^'^ 
^ Edward L. Ginzton Laboratory, Stanford University, Stanford, California 94305, USA 
2 ]SfTT Basic Research Laboratories, NTT Corporation, 
3-1 Morinosato Wakamiya Atsugi-Shi, Kanagawa, 243-0198, Japan 
^ CREST, JST Agency, 4-1-8 Honcho, Kawaguchi, Saitana, 332-0012, Japan 



O 

' * National Institute of Informatics, 2-1-2 Hitotsubashi, Chiyoda-ku, Tokyo, 101-843, Japan 



. (Dated: October 4, 2009) 

O: 

' In this Letter, we prove the unconditional security of single-photon differential phase shift quantum 

I I < key distribution (DPS-QKD) protocol, based on the conversion to an equivalent entanglement-based 

protocol. We estimate the upper bound of the phase error rate from the bit error rate, and show 

-I— > ■ 

C ' that DPS-QKD can generate unconditionally secure key when the bit error rate is not greater than 

^ , . 4.12%. This proof is the first step to the unconditional security proof of coherent state DPS-QKD. 
CT. 

^ \ PACS numbers: 03.67.Dd, 03.67.Hk 
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\^ , Quantum key distribution (QKD) protocols are one of the most important applications of quantum information 

<N ; 

I theory. Great efforts have been devoted to prove the unconditional security of these protocols through noisy channels. 
The first QKD protocol, named Bennett and Brassard 1984 (BB84) protocol 1|, has been proven to be unconditionally 



secure [2|, [3 1 



' In 2002, Inoue et al. proposed the differential phase shift quantum key distribution (DPS-QKD) protocol ;4], where 



Alice encodes the key bits by preparing the relative phase shifts between two consecutive pulses in or tt and Bob 
employs a one-bit delay Mach-Zehnder (M-Z) interferometer to retrieve the key from the phase shifts. The advantages 
of DPS-QKD mainly lie in its simple and robust experimental implementation. Only one measurement basis is involved 
in the protocol, and thus the experiment requires minimum setup, namely, one source and two detectors. Also, for 
the BB84 protocol, Alice should generate a random base string to encode the key and Bob also needs to randomly 
select his measurement bases. However, in DPS-QKD, they do not need to perform these two steps. Furthermore, 
DPS-QKD utilizes the relative phases of the pulses which are not affected by the birefringence in fibers. Finally, by 
using coherent sources, DPS-QKD is secure against photon- number-splitting attack, because they can be detected 5|, 



while the BB84 protocol with coherent sources requires intensity modulators to generate decoy states to prevent 
such attack 6 L Thanks to these simplicities, experiments over long distances and with high bit rates have been 
performed 71, |8[. On the other hand, whether DPS-QKD is unconditionally secure is an important problem both 
from the practical and theoretical aspects. So far, the security against limited attacks such as the general attack for 
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individual photons[9] and the so-called sequential attack[10j have been analyzed. 

In this Letter, as the first important step towards the security proof of coherent state DPS-QKD, we present the 
proof of the unconditional security of DPS-QKD with a single-photon source against the most general attacks. This 
proof gives insight to the underlying security properties of DPS-QKD. By analyzing an equivalent entanglement- 
based DPS-QKD, we find that the phase error rate of each time slot can be upper-bounded by the bit error rate of 
the same time slot and its adjacent time slots. Thus, the unconditional security is achieved by performing privacy 
amplification based on the upper bound of the phase error rate. Thanks to the equivalence, we can apply the results 
to the prepare-and-measure DPS-QKD. 

Before constructing the entanglement-based protocol, we define the encoded states in the prepare-and-measure DPS- 
QKD. With the single-photon source, Alice splits the single-photon wavepackct into n pulses with identical amplitudes 
to form a block. Particularly, the state before encoding the secret key is |0o) = X]fe=i '^IK^'C) = X]fc=i l^k), 
where a[. is the creation operator of the pulse in the fc-th slot and \Dk) — a[. |vac). Then following the proposal of 
DPS-QKD, Alice encodes an (rt — l)-bit random secret key into this block. For an (n— l)-bit random but fixed integer 
j, we express its (n — l)-bit binary format as {jij2 • • ■ in-2jn-i)2- Then the encoded state of the block of a single 
photon is, = ^ [|Z?i) + EIUI-IF^-M^O] , where jX = ^ti J^- 

Given the above encoding scheme, we can construct the corresponding states in the entanglement-based protocol. 
The equivalence between the entanglement-based and the prepare-and-measure protocols is obtained by following the 
technique by Shor and Prcskill 3|. For each encoding block Alice prepares additional (n — 1) qubits which are stored 
without disturbances in her own quantum memory throughout the protocol. These qubits, labeled with Ai, - ■ ■ , ^n_i, 
are entangled with a single photon, labeled B in the corresponding block, which are described as 

10) = -_ [{\j,)a, ■ ■ ■ b„-l>A,._J ® \h)B] ■ (1) 

On Bob's side, after he receives the single photons, he first applies quantum non-demolition (QND) measurement to 
determine the number of incoming photons in a block and discard the blocks with multi photons or the vacuum. This 
step is necessary because the following entanglement purification protocol requires a well-defined qubit on his side. 
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FIG. 1: Schematics of the 1-bit delay M-Z interferometer 



The QND measurement commutes with all other operations on Bob's side. Therefore, in the prepare-and-measure 
protocol, Bob can replace the QND measurement by the photon number resolving (PNR) detectors which are capable 
of discriminating the vacuum, the single-photon state, and multi-photon states. Particularly, by using two PNR 
detectors. Bob only accepts the instances when one detector obtains the single-photon state and the other one obtains 
the vacuum state in one block. 

Then, the single photon goes to a 1-bit delay M-Z interferometer, shown in Fig. [1] An incoming photon state in 
is split into four different photon states in the two output ports and two consecutive time slots. Particularly, we 
obtain a\. \{u\. + ivl + u^^^^ — if^^^), where uj, and vl are the creation operators of the pulses of the time slot k 
in the two output ports. For convenience. Bob applies a 7r/2 phase rotation on each pulse in the bottom output port. 
Given \Uk) = wj^lvac) and \Vk) = vl\va,c), the operation of the interferometer {Mdps) on each \Dk) can be written as 

MDPs\Dk) = ^i\Uk) - \Vk) + \Uk+i) + \Vk+i)). (2) 



Bob further applies a hypothetical filtering operation in order to project the single photon into a two-level state 
required for the entanglement purification protocol. The filter operation is described by a set of Kraus operators 
F = {Fi, F2, • • • , Fn}, namely Fi = \Ui)(Ui\ + \Vi){Vi\Jor I = 2, ■ ■ ■ ,n and Fi = /- EL2 in which / is the identity 
matrix, namely, / ~ J^i^i {\Ui) {Ui \ + |V/)(V/|). Note that the projection operators commute with each other and 
represent monitoring the time slots of the detection events. Bob then publicly announces which time slot the photon 
was projected to. Alice and Bob will discard the inconclusive blocks where Bob obtains Fi. By its projection to a 
certain time slot I, the photon is in a well-defined qubit state. Particularly, we can define the Z-basis of the photon as 



{|/7i), representing whether it travels along the top or bottom output port of the interferometer. Accordingly, 

we define Bob's Pauh operators as Zb, = \Ui){Ui\ - \Vi){Vi\ and Xb, = \Ui){Vi\ + \Vi){Ui\. 

Finally, Alice and Bob should tackle the eavesdropping and the channel errors. On the one hand, when the 
channel is ideal and no eavesdropping exists, it is easy to show that Alice and Bob obtain a maximally entangled 
pair from each projected qubit. Particularly, Alice discards all the qubits on her side with the label other than 
1—1, in which I is Bob's projection outcome. Mathematically, it is equivalent to partially tracing these qubits in 
the state of Eq. ([T]). Combining with Bob's filter projection, Alice and Bob share the Bell state, namely, |^+) = 

^(|0)A,_,®|C/i)B + |l>A,_,®|l^)s). 

On the other hand, if the channel is noisy or there is an eavesdropper, Alice and Bob share a corrupted two-qubit 

state. In this case, Alice and Bob employ an appropriate entanglement purification protocol based on Calderbank- 
I I 

Shor-Steane (CSS) code 12], to distill the Bell state. If the entanglement purification protocol succeeds, the resulting 
smaller set of states shared by Alice and Bob will have very high fidelity. Using the argument that high fidelity 
implies low entropy |ll] or composability argument 13 1, Alice and Bob can generate an unconditionally secure key by 
measuring the distilled states in their own respective Z-basis. Therefore, the key to the unconditional security proof is 
whether they can estimate the bit error rate and the phase error rate, which is necessary for choosing an appropriate 
CSS code for the successful purification. As for the bit errors, Alice and Bob can estimate them by using test bits. 
However, in the prepare-and-measure protocol, since they cannot directly measure the phase errors of the test bits, 
they have to upper-bound them only from the observed quantities. 

In what follows, we concentrate only on the untested bits, and for the estimation of the phase error rate, we appeal 
to Azuma's inequality 



15l |. First, we define ( as the probability of observing a bit error in the ^-th time slot of 
the fc-th photon pair. We allow to be dependent on the previous k ~ 1 events, in other words, this probability is 
a conditional probability. Moreover, we define Nch^i as the number of the actual bit errors in the Z-th time slot after 
N-photon-pair emission. Similarly, we can define the sequence ^ and Cp.; for the phase errors in the l-t\\ time slot. 



A consequence of Azuma's inequality states that Pr_ 
e, both A e {h,p}, and all conclusive time slots I 



eA.i 



2^k = l t>A.l 



N 



> € 



< 2e for arbitrary positive number 



15|. Therefore, if we can find the relation, J2?=2P'pi — J2]^=2 ^iP^ 



for certain C2, • • • ,C„, the total phase error rate Cp — 2 can be bounded by the same relation, namely, 
Bp < 'Yl^=2 Ci^b,i- On the other hand, the random sampling theory states that etj is close to the measured bit error 



rate on the test bits with an exponentially small probability 



ill 



Eve's most general attacks entangle the whole blocks with her ancila. Focusing on one certain block, e.g., the k-th 



block, the attacks can be reduced to a Kraus operator acting only on this block, by the following two steps: Firstly, 
since Azuma's inequality requires conditional probabilities, we suppose that Alice and Bob have performed fictitious 
Bell measurements to test errors on the previous (k — 1) blocks. We project all the previous systems according to the 
outcomes and trace out the (fc — 1) blocks. Secondly, we trace out the {k + l),-th • • • , n-th blocks and Eve's ancila. 
The resulting operator is (Pkipk) = J2s Ei'^^^ pkEi''\ where pk is the unperturbed state of the k-th block. Because the 

(k) • 

actual measurement outcomes and Eve's coherent attacks are unknown, the operator El is arbitrary and dependent 
on arbitrary measurement outcomes of the previous (fc — 1) blocksjl5|. 



The linearity of the Kraus operator allow us to consider only one of its components, = (0^), an arbitrary 
(n X n)-dimension matrix acting on the single-photon state. The corrupted state of the k-th block becomes 
The final state after Bob's interferometer and the filter operation is ~ FiAIupsEs''^ {(j)) . Therefore, for this 

time slot, we can obtain the possibilities p^'^^' = (^P"* |-— — -^|'/'['^'') and p^^j = (^l*'"' |— — ^y^-— which are 
conditioned on arbitrary previous events. The calculations show that 



PbJ = 4^1 - ai,iP + - a/,i-iP + (|a/-i,iP H 1- |ai_i,i_2p + |a;_i,i+i|^ H h |a;_i,„p) + 

(|ai,ip + • • • + |au-2|' + |au+i|' + • • • + \aLn\% (3) 

Pp] =2^1 + • ■ ■ + + + ■■■ + (4) 

By observing that for any two complex numbers a and b, |ap + |6p < "^^^ {\a — b\^ + |ap), we derive that 
2"EL2pS-4«E^I2pS ^ [(l«i.2p + |a2,iP)-(|ai,2-a2,iP + |a2,iP)] + [(|a„-i,„|2 + |a„,„_i|2)-(|a„_i.„-a„,„_i|2^ 
K^iM < (1 + \/5)/2[(|ai,2 - a2,i|' + |a2,i|') + (|a«-i,„ - a„,„-iP + |a„_i,„P)] < (1 + V5)/2 x AnJ2fL^pi% or 
equivalently 'Y^^=2P'pl ^ (3 + "^)^^=2P'bi ■ should be emphasized that the relations are general for arbitrary 
matrix component and arbitrary previous measurement outcomes. Using Azuma's inequality, we therefore obtain 

n 

ep< (3 + V5)^e6,, = (3 + %/5)efc, (5) 

1=2 

where = X]r=2 ^b,i is the total bit error rate over all conclusive time slots. The derivation clearly demonstrates the 
essence of DPS-QKD in which the upper bound of the phase error rate in certain time slot can only be estimated by 
combining the bit error rates in the same and adjacent time slots. Note that this upper bound does not apply to the 
n = 2 case in which the phase error rate can be as high as 50% and we have no chance to generate the secret key. 
This is the case where Alice uses two orthogonal states and Eve has free access to the information. The upper bound 



is valid for n > 3 in which the states are mutually non-orthogonal and no unambiguous state discrimination exists 



This results share some similarity in the security proof of the Bennet 1992 protocol 16 1. 

Combining the above three arguments, we can derive the unconditionally secure key rate of the entanglement-based 
DPS-QKD and the single-photon DPS-QKD, namely, 

Rdps > POPS [l - H{eb) - H{i3 + V5)eb)^ , (6) 

where H{x) is the binary Shannon entropy, namely, H{x) — — a;log2(a;) — (1 — x) log2(l — x), andpops is the conclusive 
detector click rate per pulse in DPS-QKD. 

Finally, we compare the key rates of the unconditionally secure BB84 protocol {Rbbsa) 3|, DPS-QKD against 
general attack for individual photons {Rind) 9], and unconditionally secure DPS-QKD (Rdps)- We assume single- 
photon sources in all three protocols. In the presence of channel losses, we express that Rbbs-i = PBBSi [1 ^ 2_ff (eh)], 
and Rind = Find |^log2 1 ^ — — i/(ef,)|, where pbbm and pind are the conclusive detector click 

rates per pulse in the corresponding protocols. Here we adopt the result of DPS-QKD against general attack for 
individual photons[9] to the case with a single-photon source. We assume that the coding efficiency for the bit error 
correction approaches to Shannon limit in all three cases. When Rbbmi Rind and Rdps hit zero, the upper bound 
of the tolerable bit error rates for three protocols are found to be 11%, 6.09%, and 4.12% respectively. Note that in 
DPS-QKD the phase error rate is indirectly estimated by Mops and the filter while it is directly estimated in the 
BB84 protocol. This is an essential insight we obtained in this Letter, and this poor estimation results in lower error 
rate threshold of DPS-QKD compared to the one of the BB84 protocol. 

To simulate the resulting key rates, we take the parameters from Ref. 7[, where the dark count rate, the time 
window and the baseline error rate are 50 Hz, 50 ps and 2.3 % respectively. Therefore, the dark count rate per detector 
per time slot \s d — 2.5 x 10^^. We assume that all protocols use two detectors. So Pbb84 = + 2(i)/2, where rj is 
the total efficiency including the channel, the detectors and all other devices. In DPS-QKD, we further assume that 
the loss event happens equally on every pulse in the transmission, so that the probability of getting a conclusive event 
is {n — l)/rt. On the other hand, a dark count can occur in every time slot with equal probability. Therefore, by 
noting that Bob obtains at most 1 photon out of a block with n pulses, Pind = Pdps — '7('^ ~ l)/n^ + 2d{n — l)/n. 
Moreover, the bit error rates can be modeled as ef, = {erj + d) / {r] + 2d) for the BB84 protocol and ej, — [eri{n— l)/n^ + 
d{n — l)/n]/[ri{n — l)/n^ + 2d{n — l)/n] for DPS-QKD, where e is the baseline error rate given above. 

Fig. |2 (a) I and [2(b)] illustrate the secure key rates per pulse and the energy efficiencies, namely, the secure key rates 
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FIG. 2: Secure key rates per pulse [(a)] and per emitting photon ["(b) | as a function of the total loss. Red solid line: Rbbsa', blue 
dashed line and green dash-dot line; Rdps with n = 3, 10 respectively; black dash-dot line and light blue dashed line: Rind 
with n = 3, 10 respectively. 



per emitting photon. As expected, the unconditionally secure key rate and the upper bound of the tolerable bit 
error rate of DPS-QKD are lower than those of DPS-QKD against general attack for individual photons. From Fig. 



2(b) larger n has higher energy efficiency because every photon received by Bob has lower chance to be discarded. 
However, larger n will decrease the probability of getting a signal from a pulse and increase the dark count rate per 



block, and thus lead to lower secure key rate per pulse and lower achievable distance as shown in Fig. 2(a) Based 
on these observations, we find that n = 3 yields the optimal secure key rate per pulse and the maximum achievable 
distance. 

In conclusion, we have proven the unconditional security of DPS-QKD with a single-photon source and evaluated 
its secure key rate. The security is based on the non-orthogonality of the encoding states for n > 3 and Bob's 1-bit 
delay operation. We hope that our unconditional security proof is a first step toward the security proof of coherent 
state DPS-QKD. 
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